So I was reading an article that was talking about how easy it would be to read and log a person's direct messages (DMs), simply by getting them to log in to a Twitter application with Twitter OAuth.
I thought, Wow, no it can't possibly be that easy or I surely would have heard about it. After all, I read all the daily industry e-zines, Twitter tweets, and Facebook posts. Surely, someone would be yelling this from the rooftops.
OK. Well, I found a few developers who mentioned it, but not a whole lot of, "Hey, this might be a really bad thing." So I thought, nah, this really can't be. Then I decided to test this for myself and asked my friends Rick Wargo and Gary-Adam Shannon for some help. And, wow, was I unpleasantly surprised.
So the answer is, yes, you can log someone's DMs by getting them to log in to an application or website using the Twitter OAuth screen, but do you know how easy it is? Like taking candy from a baby. Actually, taking candy from a baby is probably harder; have you ever felt a baby's grip? They're pretty tough!
How many times have you used this screen to log in to some website or application?
Probably more than you can count, right? If you're like me, you've gotten so used to this seemingly harmless log-in that you don't even think about it anymore.
Well, it seems maybe we should have been thinking about it. This harmless little piece of log-in code isn't harmless at all if you use Twitter -- and definitely not if you use Twitter DMs as a sort of private text message system.
It seems that Twitter doesn't use a granular permissions system. Translation: when you agree to allow access so you can log in, you also grant the developer who created that log-in access to your direct messages (in fact, all your messages). Your DMs are there for him (or her) to see, to log, to do basically whatever he or she wants with them.
If you want the really cool and technical explanation, Gary-Adam Shannon's great article, "Twitter Exploit Warning: How Anyone Can Easily Snatch Your Direct Messages," explains how it happens, the programming involved, and the techniques invoked. If you want the layman's version, keep reading as I ran a very simple test myself just this weekend with friend and programmer extraordinaire, Rick Wargo.
Note: these are dummy accounts and the test site has been disabled. Disclaimer: Most developers are decent, honest people and don't want access to your private data. I've worked in development groups for most of my 11 years in web development, and they want as little access to private data as possible. The intent of the following is to draw attention to potential abuses, not to call into question the intent of the typical application developer.
The Twitter DM Test
The screenshot shows how a simple OAuth log-in can be used to capture both sides of a DM conversation (or just all the DMs of the person who logged in).
This is an actual screenshot of the test site off my computer. The direct conversation between me (TestingDM) and the person trapping my DMs (RickWargo) is now captured. From here, he can do whatever he wants with the data, even make it public.
Of course, this kind of application, if made public, would likely be shut down, but what does it matter to close the door once the data horse is out of the barn, so to speak?
So What if Some Random Programmer Can Read my DMs?
Let's take this out from the "meh" to the tin foil hat party. What can you do with this type of information? What are some of the possible abuses of this data?
- The Purely Curious: Bored teenager hacker neighbors lure you to a page to find out what you did Saturday night. OK, not that concerned.
- The Ex-Whomever: Maybe they remember your love of "Star Wars" or know you're a "Big Bang" fanatic. Maybe they have some code skills, hmmmm, let's make an application and send you a link. Bazinga! Great phone bathroom reading material! Plus they know just why you're no longer sitting home on Saturday nights listening to Journey.
- Stalkers: Take the above, add a nefarious component, and there you go.
- Criminals: Well, they already know where you're going via all your Foursquaring and Facebooking, but this is just that little bit of added data they need to get the real deets.
- Famous People: If you're famous, stop using DMs for private messaging now. Really. Well, unless you want it on the front page of [Insert Rag Weekly Here]. That is all.
- Corporations: Who's to say a corporate type couldn't instruct his or her corporation to add a little Twitter log-in to its application process? "Wow, Jenny was so sweet when we interviewed her, we had no idea!" OK, so probably not legal, but it isn't like anyone would be public about it.
- Governments: Anyone who was privy to the human rights abuses that occurred during the Iran Election Crisis in June 2009 (and still today), and who understands the role Twitter played, is probably now wondering how many lives were lost and how many people were detained and imprisoned because direct message data was perceived to be private, and is now known not to be.
- The Who Knows: Because there is no expectation of privacy legally, because we have no idea how crafty the criminal, corporate, or purely curious mind can get, there should be no excuse for this lapse in securing "private data." Why? Whether truly private or not, Twitter knows its users perceive it to be private. Why? Because it could simply be locked down. Add a checkbox, "Do you want to exclude direct messaging to the OAuth log-in or granularity to the API?" Most developers of the non-nefarious persuasion I know really would never want access to this information in the first place.
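The point made twice above (a "log me in" consent silently covers direct messages, and a granular permission model would stop that) is easier to see in a small model of how scopes map to resources. This is an added example, not code from the article or from Twitter: the scope names, resources and sample grants are all constructed for illustration, and the functions are hypothetical helpers a consent screen or a "connected apps" review page could use.

```python
"""Coarse versus granular OAuth scopes, modelled from the authorization
server's side (constructed example; none of these names are Twitter's)."""
from dataclasses import dataclass

# Coarse model (hypothetical): one "read" scope covers every resource the
# user owns, so consenting to a plain log-in also covers direct messages.
COARSE_SCOPES = {
    "read": {"profile", "timeline", "direct_messages"},
    "read_write": {"profile", "timeline", "direct_messages", "post"},
}

# Granular model (hypothetical): each resource needs its own scope, so an
# app that only asked to identify the user never reaches direct messages.
GRANULAR_SCOPES = {
    "identity": {"profile"},
    "timeline.read": {"timeline"},
    "dm.read": {"direct_messages"},
    "tweet.write": {"post"},
}

SENSITIVE = ("direct_messages",)


@dataclass(frozen=True)
class Grant:
    """What a user approved on the consent screen for one application."""
    app: str
    scopes: frozenset


def resources_for(scopes, scope_table):
    """Expand approved scope names into the set of resources they unlock.

    Unknown scope names are a misconfiguration, not a silent no-op, so
    they raise instead of quietly granting nothing (or everything).
    """
    resources = set()
    for scope in scopes:
        if scope not in scope_table:
            raise ValueError(f"unknown scope: {scope}")
        resources |= scope_table[scope]
    return resources


def can_access(grant, resource, scope_table):
    """Authorization check an API endpoint would run before serving data."""
    return resource in resources_for(grant.scopes, scope_table)


def consent_summary(requested_scopes, scope_table):
    """Resources a consent screen should list, sensitive ones first, so the
    user sees 'direct_messages' whenever a coarse scope would include it."""
    resources = resources_for(requested_scopes, scope_table)
    return sorted(resources, key=lambda r: (r not in SENSITIVE, r))


def audit_grants(grants, scope_table, sensitive=SENSITIVE):
    """Names of apps that can reach a sensitive resource: what a user
    reviewing their connected applications would want flagged."""
    flagged = []
    for grant in grants:
        reach = resources_for(grant.scopes, scope_table)
        if any(r in reach for r in sensitive):
            flagged.append(grant.app)
    return flagged


if __name__ == "__main__":
    # Constructed sample: a site that only needs to know who you are.
    login_only_coarse = Grant("TestSite", frozenset({"read"}))
    login_only_granular = Grant("TestSite", frozenset({"identity"}))

    print("coarse model, DM access:",
          can_access(login_only_coarse, "direct_messages", COARSE_SCOPES))
    print("granular model, DM access:",
          can_access(login_only_granular, "direct_messages", GRANULAR_SCOPES))
    print("consent screen (coarse):",
          consent_summary({"read"}, COARSE_SCOPES))
    print("apps to flag:", audit_grants([login_only_coarse], COARSE_SCOPES))
```

Under the coarse table the login-only grant passes the DM check, which is exactly the situation the article describes; under the granular table the same app is refused unless the user separately approved a DM scope. The `consent_summary` ordering is the "checkbox" idea in code: whatever the scope is named, the screen lists the sensitive resource it unlocks.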
Some of this may seem a bit dramatic. It's meant to be. We need to wake up and start demanding that companies take better care of our private information and that when they know data is not private that they inform us.
Yikes, What Can I do Right Now?
There is one solution for the time being. Erase your direct messages. That removes anyone's access to them, since it removes them from the server -- as long as no one is reading them right now.
Do you hear me Gary? Mine are all gone, so you can stop reading now! (NOTE: I know Gary personally, so the previous sentence was said in jest! Well, maybe. You never know with those black hats!)
Now go read Gary's article. It's filled with excellent information on how easy it is to do what I've just talked about.